As it turns out, there are two huge memory-access bugs, Meltdown and Spectre. Meltdown is the one that's been confirmed on Intel chips but not yet known to affect any other processors; Spectre affects Intel, AMD, and ARM. Both are critically serious -- "JavaScript can read your passwords" serious.

The security patches have some potentially huge performance impacts, mostly on file R/W operations. (Servers are going to be affected in a big way, but you shouldn't notice a significant impact on gaming performance.)

It's possible that these bugs have existed for decades, it's unknown whether they've ever been exploited, and if they have, there wouldn't be any evidence in any logs. So yeah you're gonna wanna update your shit, whether said shit is Linux, Windows, MacOS, iOS, Android, BSD, or whatever.

Thad wrote:And there's not really any good alternative. AMD and ARM chips don't use IME, but they've got similar coprocessors with similar proprietary firmware and similar vulnerabilities.

To wit: AMDFLAWS is a list of 9 vulnerabilties affecting AMD's "secure" coprocessor.

This isn't Meltdown/Spectre level; in fact, every one of these vulnerabilities requires that the attacker already have some kind of administrative access to the machine. The article notes that the disclosure by Israeli security research firm CTS-Labs is sensationalistic and potentially shady.

Cory Doctorow wrote:Now, with that all said, there are some very important caveats, which are summed up well in this thread by security researcher Arrigo Triulzi and its replies.

Triulzi points out that the CTS-Labs paper is very short on technical details. Moreover, CTS-Labs' claimed defects are presented as grave in and of themselves, even though they can only be effected by attackers who are already in a position to control the user's system. For example, the MASTERKEY attack requires that the user install an untrusted BIOS update; there are many ways that such an update could allow an attacker to control the user's system, making the MASTERKEY attack somewhat redundant. The RYZENFALL attack requires that unauthorized code be loaded into the secure coprocessor; FALLOUT requires that the attacker gain control over the vendor's signing keys. Any computer that is vulnerable to these attacks is also vulnerable to much better-understood attacks and is by definition insecure, so Triulzi asserts that CTS-Labs is making a lot out of nothing.

I quibble with this: sneaking malicious code into the secure coprocessor is indeed a high barrier for attackers to hurdle -- but the nature of secure computing also makes such an attack particularly grave, in a way that mere physical control and root access to a system without such a coprocessor doesn't approach. The secure copro is designed to resist inspection and alteration (to prevent attackers), and this means that defenders are effectively helpless against such an attack.

But Triulzi's other points are well-made. The CTS-Labs paper makes a bunch of irrelevant references to aerospace, the FTC, and self-driving cars that seem calculated to discredit AMD; it also includes a disclaimer that reveals that a fall in AMD share-prices could benefit CTS-Labs and/or its personnel.

tl;dr CTS-Labs is probably exaggerating the threat of these vulnerabilities, but, like I was saying earlier, coprocessors running proprietary code are inherently insecure. Even if these vulnerabilities aren't as bad as the research firm is making them out to be, we can expect a lot more stories about coprocessor exploits in the years to come.

So it looks like this Cambridge Analytica & Facebook leak is going to have some big effect, not the least of which is EU regulation of social-media (which was already under consideration, but may grow significantly harsher and be implements much quicker now).

Also, CA has been revealed to have high-level ties to Russia (this is my surprised face).

A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon's Alexa -- the voice-controlled smart speaker -- and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.

"My husband and I would joke and say I'd bet these devices are listening to what we're saying," said Danielle, who did not want us to use her last name.

Every room in her family home was wired with the Amazon devices to control her home's heat, lights and security system.

But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. "'You're being hacked.'"

That person was one of her husband's employees, calling from Seattle.

"We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house," she said. "At first, my husband was, like, 'no you didn't!' And the (recipient of the message) said 'You sat there talking about hardwood floors.' And we said, 'oh gosh, you really did hear us.'"

Danielle listened to the conversation when it was sent back to her, and she couldn't believe someone 176 miles away heard it too.

I mean, okay, sending the recordings to someone else is one thing. But why were they "joking" that it listens to everything they say? They know how voice commands work, right? It really worries me that people have their houses this wired with technology they don't even understand the fundamentals behind.

"Things we are merrily fucking with while not even understanding the fundamentals behind" is my working definition of the word 'technology'. We stop calling things that once we generally grok the basics. They get promoted to being 'plumbing', 'furniture' or whatever.

As far as I understand, all these updated privacy statement roads lead back to GDPR. For all data that enters or leaves the EU (so all data, basically) the user needs to be aware of what information is being recorded and for what purposes.

It's pretty similar to how early smartphone apps would kinda' have full access to change your phone or none, and now (on android at least) every app needs to tell you what it can control. Which is why Flappy Bird needs to full access to your calls and contacts... so that it can pause if you get a call while playing.

Ultimately it's still the same things you agreed to when you checked a box or hit 'next' and skipped the terms and conditions. Europe turned on the light so you can see the monster, instead of pulling up the sheets and hoping for the best.

I've already been over what a catastrophically bad idea this is, when HP did it.

And I'm not even talking about the DRM. My opinion on whether or not it is okay for a vendor to restrict the way in which you're allowed to use your legally-purchased hardware is well-known and you can take it as read.

This is, somehow, even worse than that. Because it teaches people not to trust security updates.